I was (probably still am) naive when I read the book; it seems to me the essence of NSM is tying together the most useful streams of data. Who doesn't want correlation? Well, turns out most IDS/IPS vendors. But any points I unfairly deducted for obviousness were swamped by the points awarded for picking the right types of information for that correlation. I did a lot of this stuff manually without seeing that there was a pattern to what I was doing - I always wanted to know who was involved in an event, to see the packet, and often wanted to see the packet in context. This was really hard before sguil.